/*
 * Copyright 2016 Red Hat, Inc. and/or its affiliates
 * and other contributors as indicated by the @author tags.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */
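/**
 * Browser-side helper for obtaining Requesting Party Tokens (RPTs) from a
 * Keycloak server through the UMA 2.0 grant
 * (`urn:ietf:params:oauth:grant-type:uma-ticket`).
 *
 * Construction immediately fetches the realm's `uma2-configuration` discovery
 * document. `authorize()` and `entitlement()` read `config.token_endpoint`
 * from that document, so they must only be used once `ready` has resolved.
 *
 * @param {Object} keycloak - initialised keycloak-js adapter; `authServerUrl`,
 *   `realm`, `clientId` and `token` are read from it.
 * @param {Object} [options] - kept for interface compatibility; not read here.
 */
var KeycloakAuthorization = function (keycloak, options) {
    const _instance = this;
    const UMA_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:uma-ticket";

    // Last RPT the server issued. It is sent back as `rpt` on later requests so
    // the server can extend it rather than issue an unrelated token.
    this.rpt = null;

    let resolve = function () {};
    let reject = function () {};

    // `ready` is only exposed where a native Promise exists; it settles once the
    // discovery document has been loaded (resolve) or failed to load (reject).
    if (typeof Promise !== "undefined" && Promise.toString().indexOf("[native code]") !== -1) {
        this.ready = new Promise(function (res, rej) {
            resolve = res;
            reject = rej;
        });
    }

    /**
     * Appends one `&name=value` pair to an `application/x-www-form-urlencoded`
     * body. The value is percent-encoded so that `&`, `=`, `+`, `#` or `,`
     * inside a ticket, claim token, client id or permission string cannot
     * corrupt the body or smuggle in extra parameters (`+` in a base64 claim
     * token would otherwise decode to a space on the server).
     *
     * @param {string} params - body built so far
     * @param {string} name - parameter name (already URL-safe)
     * @param {*} value - coerced with String() before encoding
     * @returns {string} body with the pair appended
     */
    const appendParam = function (params, name, value) {
        return params + "&" + name + "=" + encodeURIComponent(String(value));
    };

    /**
     * Parses a JSON response body.
     * @param {string} text - raw response text
     * @returns {Object|null} the parsed object, or null when the text is not a JSON object
     */
    const parseJsonObject = function (text) {
        try {
            const parsed = JSON.parse(text);
            return parsed !== null && typeof parsed === "object" ? parsed : null;
        } catch (e) {
            return null;
        }
    };

    /**
     * Invokes an optional failure callback, logging `message` when none was given.
     * @param {Function|undefined} callback
     * @param {string} message
     */
    const failWith = function (callback, message) {
        if (callback) {
            callback();
        } else {
            console.error(message);
        }
    };

    /**
     * Completion handler shared by authorize() and entitlement().
     * 2xx with a JSON object body: stores `access_token` as the RPT and calls onGrant(rpt).
     * 403: onDeny(). Any other status, or a 2xx whose body is not JSON: onError().
     */
    const handleTokenResponse = function (request, onGrant, onDeny, onError) {
        if (request.readyState !== 4) {
            return;
        }
        const status = request.status;
        if (status >= 200 && status < 300) {
            const body = parseJsonObject(request.responseText);
            if (body === null) {
                failWith(onError, 'Could not parse authorization data from server.');
                return;
            }
            const rpt = body.access_token;
            _instance.rpt = rpt;
            if (onGrant) {
                onGrant(rpt);
            }
        } else if (status === 403) {
            failWith(onDeny, 'Authorization request was denied by the server.');
        } else {
            failWith(onError, 'Could not obtain authorization data from server.');
        }
    };

    /**
     * Opens a form-encoded POST to the token endpoint, authenticated with the
     * current user's bearer token, and wires the shared completion handler.
     * The caller still has to `send()` the body.
     */
    const openTokenRequest = function (onGrant, onDeny, onError) {
        const request = new XMLHttpRequest();
        request.open('POST', _instance.config.token_endpoint, true);
        request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        request.setRequestHeader('Authorization', 'Bearer ' + keycloak.token);
        request.onreadystatechange = function () {
            handleTokenResponse(request, onGrant, onDeny, onError);
        };
        return request;
    };

    /**
     * Appends the optional response-shaping hints carried in `metadata`.
     * @param {string} params - body built so far
     * @param {{responseIncludeResourceName?: *, responsePermissionsLimit?: *}|undefined} metadata
     * @returns {string}
     */
    const appendMetadata = function (params, metadata) {
        if (!metadata) {
            return params;
        }
        if (metadata.responseIncludeResourceName) {
            params = appendParam(params, "response_include_resource_name", metadata.responseIncludeResourceName);
        }
        if (metadata.responsePermissionsLimit) {
            params = appendParam(params, "response_permissions_limit", metadata.responsePermissionsLimit);
        }
        return params;
    };

    /**
     * Loads the realm's UMA discovery document into `this.config` and settles
     * `ready`. Anything other than a 200 with a JSON object body (including a
     * network failure, status 0) logs and rejects.
     */
    this.init = function () {
        const request = new XMLHttpRequest();
        request.open('GET', keycloak.authServerUrl + '/realms/' + keycloak.realm + '/.well-known/uma2-configuration');
        request.onreadystatechange = function () {
            if (request.readyState !== 4) {
                return;
            }
            const config = request.status === 200 ? parseJsonObject(request.responseText) : null;
            if (config === null) {
                console.error('Could not obtain configuration from server.');
                reject();
                return;
            }
            _instance.config = config;
            resolve();
        };
        request.send(null);
    };

    /**
     * Exchanges a permission ticket (handed out by a resource server protected by
     * a Keycloak policy enforcer) for an RPT.
     * Usage: `authz.authorize(request).then(onGrant, onDeny, onError)`.
     *
     * @param {{ticket: string, submitRequest?: boolean, incrementalAuthorization?: boolean,
     *   metadata?: {responseIncludeResourceName?: *, responsePermissionsLimit?: *}}} authorizationRequest
     *   - must carry a `ticket`; a missing ticket is reported through onError.
     * @returns {KeycloakAuthorization} this, with `then` bound to the request
     */
    this.authorize = function (authorizationRequest) {
        this.then = function (onGrant, onDeny, onError) {
            // Report a missing ticket instead of silently doing nothing.
            if (!authorizationRequest || !authorizationRequest.ticket) {
                failWith(onError, 'Authorization request must include a ticket.');
                return;
            }
            const request = openTokenRequest(onGrant, onDeny, onError);

            let params = "grant_type=" + UMA_GRANT_TYPE;
            params = appendParam(params, "client_id", keycloak.clientId);
            params = appendParam(params, "ticket", authorizationRequest.ticket);

            // `!= null` keeps the original semantics: only skip when null/undefined.
            if (authorizationRequest.submitRequest != null) {
                params = appendParam(params, "submit_request", authorizationRequest.submitRequest);
            }

            params = appendMetadata(params, authorizationRequest.metadata);

            // Incremental authorization is the default: the current RPT is sent
            // along so the server can extend it instead of issuing a new one.
            const incremental = authorizationRequest.incrementalAuthorization;
            if (_instance.rpt && (incremental == null || incremental)) {
                params = appendParam(params, "rpt", _instance.rpt);
            }

            request.send(params);
        };

        return this;
    };

    /**
     * Requests all permissions the current user holds at the resource server
     * identified by `resourceServerId` (sent as `audience`), optionally narrowed
     * to specific resources/scopes or backed by a claim token.
     * Usage: `authz.entitlement(resourceServerId, request).then(onGrant, onDeny, onError)`.
     *
     * @param {string} resourceServerId - identifier of the resource server, sent as `audience`
     * @param {{claimToken?: string, claimTokenFormat?: string,
     *   permissions?: Array<{id: string, scopes?: string[]}>,
     *   metadata?: {responseIncludeResourceName?: *, responsePermissionsLimit?: *}}} [authorizationRequest]
     * @returns {KeycloakAuthorization} this, with `then` bound to the request
     */
    this.entitlement = function (resourceServerId, authorizationRequest) {
        this.then = function (onGrant, onDeny, onError) {
            const authzRequest = authorizationRequest || {};
            const request = openTokenRequest(onGrant, onDeny, onError);

            let params = "grant_type=" + UMA_GRANT_TYPE;
            params = appendParam(params, "client_id", keycloak.clientId);

            if (authzRequest.claimToken) {
                params = appendParam(params, "claim_token", authzRequest.claimToken);
                if (authzRequest.claimTokenFormat) {
                    params = appendParam(params, "claim_token_format", authzRequest.claimTokenFormat);
                }
            }

            params = appendParam(params, "audience", resourceServerId);

            // Each permission is `resourceId` or `resourceId#scope1,scope2`. The
            // whole string is encoded, so ids containing `#`, `,` or `&` survive
            // intact instead of being split by the server.
            const permissions = authzRequest.permissions || [];
            for (const resource of permissions) {
                let permission = resource.id;
                if (resource.scopes && resource.scopes.length > 0) {
                    permission += "#" + resource.scopes.join(",");
                }
                params = appendParam(params, "permission", permission);
            }

            params = appendMetadata(params, authzRequest.metadata);

            if (_instance.rpt) {
                params = appendParam(params, "rpt", _instance.rpt);
            }

            request.send(params);
        };

        return this;
    };

    this.init();

    return this;
};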
// Default export: the constructor above (`new KeycloakAuthorization(keycloak, options)`).
export default KeycloakAuthorization;